Quick Facts
- Category: Cybersecurity
- Published: 2026-05-02 15:36:36
Overview
Just three days after the previous round of updates, the Python team has released two new maintenance versions: Python 3.14.2 and Python 3.13.11. These expedited releases target critical regressions discovered in the latest updates, along with several security fixes. Users are encouraged to upgrade promptly to maintain stability and security.
Python 3.14.2: Second Maintenance Release
This is the second maintenance update for the 3.14 series, containing 18 bugfixes, build improvements, and documentation changes since Python 3.14.1. The release focuses on fixing regressions that could disrupt development workflows and runtime behavior.
Key Regressions Fixed
- gh-142206: Exceptions occurring in multiprocessing when running programs while upgrading Python, which could break parallel processing.
- gh-142214: Exceptions in dataclasses when a class lacks an __init__ method, leading to unexpected errors.
- gh-142218: Segmentation faults and assertion failures in insertdict, a core dictionary operation that could crash the interpreter.
- gh-140797: Crash when using multiple capturing groups in re.Scanner, affecting complex regular expressions.
Security Updates
- gh-142145 (CVE-2025-12084): Removed quadratic behavior in node ID cache clearing to prevent a potential denial-of-service attack.
- gh-119452: Fixed a potential virtual memory allocation denial of service in http.server that could exhaust system resources.
For a complete list of changes, refer to the full changelog for Python 3.14.2.
Python 3.13.11: Eleventh Maintenance Release
This update for the Python 3.13 series addresses regressions similar to those in 3.14.2, ensuring compatibility and reliability across both active release lines.
Key Regressions Fixed
- gh-142206: Same multiprocessing exception issue as in 3.14.2.
- gh-142218: Same segmentation fault in insertdict.
- gh-140797: Same crash with multiple capturing groups in re.Scanner.
Security Updates
- gh-142145 (CVE-2025-12084): Identical quadratic behavior fix in node ID cache clearing.
- gh-119451: Fixed a potential denial of service in http.client that could be triggered by malicious input.
- gh-119452: Same virtual memory allocation fix in http.server as in 3.14.2.
Detailed release notes are available on the Python 3.13.11 download page.
Common Security Fixes
Both releases share the CVE-2025-12084 fix, which eliminates a quadratic time complexity flaw in the node ID cache. This vulnerability could be exploited to cause excessive CPU usage and denial of service. Additionally, the http.server fix (gh-119452) prevents virtual memory exhaustion, while the 3.13 branch also benefits from an extra fix in http.client (gh-119451) that guards against input-based denial-of-service attacks.
Acknowledgments
These releases would not be possible without the dedicated efforts of the Python development community. The release team—Hugo van Kemenade, Thomas Wouters, Ned Deily, Steve Dower, and Łukasz Langa—extends gratitude to all volunteers who contributed fixes, tests, and reviews. Consider supporting the Python Software Foundation through volunteering or corporate sponsorship to sustain this vital open-source project.
How to Update
To upgrade to the latest version, visit the official Python downloads page for Python 3.14.2 and Python 3.13.11, or use your package manager (e.g., pip for virtual environments). After upgrading, run your test suite to ensure compatibility with the newly patched modules.
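To confirm which interpreters still predate these fixes, the added example below (not code from the Python release team) classifies version strings against the two fixed releases named in this article. The host names and the sample inventory are constructed for illustration.

```python
import platform
import re

# First fixed micro release per series, as stated in this article.
FIXED_MICRO = {(3, 14): 2, (3, 13): 11}

# Matches 3.14.1, 3.14.0rc2, 3.13.11+ ; group 4 is a pre-release tag if present.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)((?:a|b|rc)\d+)?")


def classify(version_text):
    """Return 'patched', 'needs-upgrade', 'not-covered' or 'unparsed'."""
    m = _VERSION_RE.search(version_text)
    if m is None:
        return "unparsed"
    major, minor, micro = (int(g) for g in m.group(1, 2, 3))
    fixed = FIXED_MICRO.get((major, minor))
    if fixed is None:
        # Series other than 3.13/3.14 are outside what the article covers.
        return "not-covered"
    # A pre-release of X.Y.Z sorts before the final X.Y.Z.
    is_final = 0 if m.group(4) else 1
    return "patched" if (micro, is_final) >= (fixed, 1) else "needs-upgrade"


def audit(inventory):
    """Map each host to its status and list the hosts that need action."""
    status = {host: classify(text) for host, text in inventory.items()}
    action = sorted(h for h, s in status.items() if s in ("needs-upgrade", "unparsed"))
    return status, action


# Constructed sample: output of `python3 --version` collected per host.
SAMPLE_INVENTORY = {
    "build-01": "Python 3.14.1",
    "web-02": "Python 3.13.11",
    "ci-03": "Python 3.14.0rc2",
    "batch-04": "Python 3.12.9",
    "edge-05": "sh: python3: not found",
}

if __name__ == "__main__":
    print("this interpreter:", classify(platform.python_version()))
    status, action = audit(SAMPLE_INVENTORY)
    for host, state in status.items():
        print(f"{host:10} {state}")
    print("follow up:", ", ".join(action))
```

Distribution packages sometimes backport security fixes without changing the upstream version number, so a needs-upgrade result on a distro-packaged interpreter is a prompt to check that package's changelog.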
Stay tuned for further maintenance updates, and happy coding!